Following the news that hackers used IoT devices to conduct the largest DDoS attack in history on the French hosting company OVH, Sean Newman, Director at Corero Network Security, commented below.
Sean Newman, Director at Corero Network Security:
“With traditional security infrastructure, it’s hard for individual organisations to effectively protect themselves against such extreme attacks – by the time an attack has reached their network, the volume of traffic far outweighs their capacity and almost immediately they experience issues with network availability. However, relief from these types of attack can be obtained with proper mitigation techniques, which can be offered by Service providers.
“Although the general security of transiting traffic is not typically considered the domain of Carriers and higher-tier Service Providers, DDoS protection is a different prospect. The point being, that you don’t need to know about the destination to protect against DDoS – an attack is always going to be bad and the associated traffic can be safely dropped.
“The reason why Carriers and higher-tier Service Providers are well positioned to deliver this defence, is inherent in the way DDoS Attacks from Botnets, including those leveraging poorly secured IoT devices, are created – with a small amount of traffic originating from a huge number of devices, spread across the internet. As an attack transits the internet and approaches its target, it becomes increasingly aggregated, until the point where it hits the target at volumes which far exceed the network capacity of that target. If DDoS protection is implemented on peering and transit links of Service providers along that route then, at each point across the internet where the traffic becomes aggregated enough to appear as a DDoS attack, it can be detected and mitigated. This divide-and-conquer approach, of addressing the issue further back in the network, means that DDoS traffic is being mitigated way before the point it saturates any links or disrupts legitimate traffic.
“The obvious answer is to improve security on IoT devices, but there are multiple reasons why that will be slow and, in some cases, completely impractical. There are many Service/Cloud providers that are increasing their proactive DDoS protection measures; if you choose the right provider, relief from these botnet attacks can be obtained.
“With the explosion of devices, IoT manufacturers must get better at hardening them against being harnessed for nefarious purposes – simple exploits of the underlying operating systems, for example, should be guarded against. If security is considered from the initial design phase, significant improvements can be made without necessarily increasing costs or impacting performance, function, or usability.
“With the explosion in IoT, and the number of consumer devices alone predicted to exceed thirteen billion by 2020, the problem is sure to get worse, before it gets better.
“It’s hard for individual organisations to effectively protect themselves against such extreme attacks. By the time the attack traffic has reached their network, the volume of traffic far outweighs their capacity. To effectively protect against large-scale attacks, organisations need to choose service providers who can deliver the protection for them. Organisations should look for Service Providers who are using the latest generation of inline, always on, DDoS protection, across all their peering and transit links.”